Process of Captive Portal Authentication with ClearPass Guest

Hello guys,

 

I can't completely understand how captive portal authentication with ClearPass Guest works. Could anyone explain in more detail steps 3 to 5 of the below picture?

original.png

 

I have read that at some point in the process the client sends the credentials directly to ClearPass (skipping the NAD), ClearPass replies directly to the client (skipping the NAD again), and then the client sends the credentials to the NAD and the NAD sends them to ClearPass. Also, I have read something about ClearPass POSTing the user credentials to the NAD device? All this sounds very weird to me. Is there any documentation of the entire process? I have only found the following article:

 

http://community.arubanetworks.com/t5/07-19-13-Expert-Day/How-does-captive-portal-authentication-really-work-with/td-p/87208

 

But this is not explained in detail. I have also found this:

 

http://www.arubanetworks.com/vrd/GuestAccessAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

 

Which is very well explained, but it doesn't include the part of ClearPass.

 

Regards,

Julián

Guru Elite

Re: Process of Captive Portal Authentication with ClearPass Guest

 

3 and 4 are the local internal ClearPass credential check to the local user database.

 

5 is where the client browser submits the credentials to the controller. The controller initiates a RADIUS request to ClearPass.

6 - If authentication is successful, ClearPass responds with an access accept.

 

What errors are you seeing? What isn't working?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Process of Captive Portal Authentication with ClearPass Guest

Then let me know if this is correct:

 

3 - When the client is entering the credentials in the Web Login page and clicks on "Login", are the credentials sent directly to ClearPass (with no intervention of the NAD device)?

4 - ClearPass checks the credentials in its database and responds directly to the client (again with no intervention of the NAD device) saying "Logging in..." or "Invalid username or password".

 

5 - Client sends credentials to NAD and NAD sends them in a RADIUS request to ClearPass.

 

Regards,

Julián

Guru Elite

Re: Process of Captive Portal Authentication with ClearPass Guest

Yes


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Process of Captive Portal Authentication with ClearPass Guest

OK, perfect. Then there is no step where ClearPass sends the user credentials back to the NAD device, right?

 

Regards,

Julián

Guru Elite

Re: Process of Captive Portal Authentication with ClearPass Guest

No. They're submitted through the browser to the controller.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: Process of Captive Portal Authentication with ClearPass Guest

OK, many thanks for the clarifications. Now I understand this process better.

 

Regards,

Julián

New Contributor

Re: Process of Captive Portal Authentication with ClearPass Guest

Hello! So, regarding this same issue:

3 - When the customer clicks the Login button, are the user credentials sent to ClearPass directly? So, they aren't proxied by the NAD?

4 - ClearPass checks the credentials in its database and responds directly to the client (again with no intervention of the NAD device).

So what types of messages/response does it send back to the customer?

 

I have a ClearPass environment and when I click Login I always get: "Error 404: Page not found". So is this one of those messages I could get at step 4? Before the NAD even makes the RADIUS request?

 

Thanks!

Re: Process of Captive Portal Authentication with ClearPass Guest

All the RADIUS communication is sent via the NAD (Authentication, Authorization).

The only direct communication the client has with ClearPass is the captive portal page.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA